What is smishing (SMS phishing)?
What is smishing?

Smishing is a social engineering attack that uses fake mobile text messages to trick people into downloading malware, sharing sensitive information or sending money to cybercriminals. The term “smishing” is a combination of “SMS”—or “short message service,” the technology behind text messages—and “phishing.”

Smishing is an increasingly popular form of cybercrime. According to Proofpoint’s 2023 State of the Phish report (link resides outside ibm.com), 76 percent of organizations experienced smishing attacks in 2022. 

Several factors have contributed to a rise in smishing. For one, the hackers perpetrating these attacks, sometimes called “smishers,” know that victims are likelier to click text messages than other links. At the same time, advances in spam filters have made it harder for other forms of phishing, like emails and phone calls, to reach their targets. 

The rise of bring-your-own-device (BYOD) and remote work arrangements has also led to more people using their mobile devices at work, making it easier for cybercriminals to reach company networks through employees’ cell phones.


How smishing attacks work

Smishing attacks are similar to other types of phishing attacks, in which scammers use phony messages and malicious links to fool people into compromising their mobile phones, bank accounts or personal data. The main difference is the medium. In smishing attacks, scammers use SMS or messaging apps to conduct their cybercrimes rather than emails or phone calls. 

Scammers choose smishing over other types of phishing attacks for various reasons. Research shows that people are likelier to click links in text messages. Klaviyo reports that SMS click-through rates hover between 8.9 percent and 14.5 percent (link resides outside ibm.com). By comparison, emails have an average click rate of 1.33 percent, according to Constant Contact (link resides outside ibm.com). 

In addition, scammers can increasingly mask the origins of smishing messages by using tactics such as spoofing phone numbers with burner phones or using software to send texts by email. It's also harder to spot dangerous links on cell phones. For instance, on a computer, users can hover over a link to see where it leads, but on smartphones, they don't have that option. People are also used to banks and brands contacting them over SMS and receiving shortened URLs in text messages.

In 2020, the Federal Communications Commission (FCC) mandated that telecom companies adopt the STIR/SHAKEN protocol (link resides outside ibm.com), which authenticates the caller ID on phone calls and is the reason why some mobile phones now display "scam likely" or "spam likely" labels when suspicious numbers call. But even though STIR/SHAKEN made scam calls easier to spot, it did not have the same effect on text messages, leading many scammers to shift their focus to smishing attacks.

Examples of smishing scams

Like other forms of social engineering, most types of smishing attacks rely on pretexting, which involves using fake stories to manipulate victims’ emotions and trick them into doing a scammer’s bidding.

Pretending to be a financial institution

Scammers might pose as the victim’s bank alerting them to a problem with their account, often through a fake notification. If the victim clicks the link, it brings them to a fake website or app that steals sensitive financial information like PINs, login credentials, passwords and bank account or credit card information. In 2018, a group of scammers (link resides outside ibm.com) used this method to steal USD 100,000 from Fifth Third Bank customers.

Pretending to be the government

Scammers might pretend to be police officers, IRS representatives or other government officials. These smishing texts often claim the victim owes a fine or must act to claim a government benefit. For example, at the height of the COVID-19 pandemic, the Federal Trade Commission (FTC) warned of smishing attacks (link resides outside ibm.com) that offered tax relief, free COVID tests and similar services. When victims followed links in these texts, scammers stole their social security numbers and other information they could use to commit identity theft. 

Pretending to be customer support

Attackers pose as customer support agents at trusted brands and retailers like Amazon, Microsoft or even the victim’s wireless provider. They usually say that there is a problem with the victim’s account or an unclaimed reward or refund. Typically, these texts send the victim to a fake website that steals their credit card numbers or banking information.

Pretending to be a shipper

These smishing messages claim to come from a shipping company such as FedEx, UPS or the US Postal Service. They tell the victim there was a problem delivering a package and ask them to pay a “delivery fee” or sign in to their account to correct the issue. Then the scammers take the money or account information and run. These scams are common around the holidays when many people wait for packages. 

Pretending to be a boss or colleague

In business text compromise (similar to business email compromise, except by SMS message), hackers pretend to be a boss, colleague, vendor or attorney who needs help with an urgent task. These scams often request immediate action and end with the victim sending money to the hackers.

Pretending to text the wrong number

Scammers send a text that appears to be intended for someone other than the victim. When the victim corrects the scammer’s “mistake,” the scammer strikes up a conversation with the victim. These wrong number scams tend to be long-term, with the scammer trying to earn the victim’s friendship and trust through repeated contact over months or even years. The scammer may even pretend to develop romantic feelings for the victim. The goal is to eventually steal the victim’s money through a fake investment opportunity, a request for a loan, or a similar story.

Pretending to be locked out of an account

In this scam, called multifactor authentication (MFA) fraud, a hacker who already has a victim's username and password tries to steal the verification code or one-time password required to access the victim's account. The hacker might pose as one of the victim’s friends, claim to have been locked out of their Instagram or Facebook account, and ask the victim to receive a code for them. The victim gets an MFA code—which is actually for their own account—and gives it to the hacker.

Pretending to offer free apps

Some smishing scams trick victims into downloading seemingly legitimate apps—for example, file managers, digital payment apps, even antivirus apps—that are in fact malware or ransomware.

Smishing vs. phishing vs. vishing

Phishing is a broad term for cyberattacks that use social engineering to trick victims into paying money, handing over sensitive information, or downloading malware. Smishing and vishing are just two kinds of phishing attacks that hackers can use on their victims. 

The main difference between the different types of phishing attacks is the medium used to carry out the attacks. In smishing attacks, hackers target their victims exclusively using text messages or SMS—whereas, in vishing attacks (short for “voice phishing”), hackers use voice communication like phone calls and voicemails to pose as legitimate organizations and manipulate victims.

Fighting smishing attacks

Many cybersecurity experts believe smishing will grow more common in the coming years. Proofpoint CISO Lucia Milică (link resides outside ibm.com) thinks smishing tools will pop up in malware marketplaces, allowing less technically savvy scammers to send malicious texts.

Gartner predicts (link resides outside ibm.com) a rise in “multichannel” phishing attempts that combine text, email, phone calls and other communication channels. For instance, the Lazarus Group, a hacker gang backed by North Korea, has been known to use multichannel tactics. The group used fake LinkedIn profiles to pose as recruiters for cryptocurrency exchanges (link resides outside ibm.com), contacting victims under the guise of discussing job openings and then moving the conversations off LinkedIn to SMS or WhatsApp, where they tricked them into downloading trojan horses or other malware. 

The FCC (link resides outside ibm.com) is considering a rule requiring wireless providers to block spam texts. But in the meantime, individuals and companies can take critical steps to protect themselves:

  • Mobile cybersecurity solutions: Android and iOS operating systems have built-in protections and functions, like blocking unapproved apps and filtering suspicious texts to a spam folder. At the organizational level, companies can use unified endpoint management (UEM) solutions to set mobile security controls and policies.

  • Security awareness training: Training people to recognize the warning signs of cyberattacks and smishing attempts—such as unusual phone numbers, unexpected URLs and a heightened sense of urgency—can help protect an organization. Training can also set rules for handling sensitive data, authorizing payments and verifying requests before acting on them.
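As an added illustration (not IBM's code or part of any IBM product), the following rule-based triage scores inbound texts against the warning signs listed above: unusual sender numbers, unexpected or shortened URLs, urgency pressure, and requests for credentials, payment or a one-time code (the MFA fraud pretext described earlier). The sample messages and the EXPECTED_DOMAINS allowlist are constructed for the example.

```python
import re

# Constructed sample inbound texts as (text, sender); none are real messages.
SAMPLES = [
    ("Your package could not be delivered. Pay the delivery fee: http://bit.ly/3xample", "+15555550123"),
    ("hey it's me, I'm locked out of my Instagram. can you send me the code you just got?", "+15555550199"),
    ("Your appointment is confirmed for 3pm Tuesday. Reply C to confirm.", "55512"),
    ("URGENT: your account is suspended. Verify your PIN at https://example-bank.verify-login.top/x", "+15555550777"),
]

# Assumed allowlist of domains an organization's legitimate SMS senders use (constructed values).
EXPECTED_DOMAINS = {"example-bank.com", "example-shipper.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

URL_RE = re.compile(r"https?://\S+", re.I)
URGENCY_RE = re.compile(r"\b(urgent|immediately|suspended|act now|within 24 hours)\b", re.I)
ASK_RE = re.compile(r"\b(pin|password|verification code|delivery fee|pay|wire|gift card)\b", re.I)
MFA_RELAY_RE = re.compile(r"\b(locked out|send me the code|code you (just )?got)\b", re.I)

def host_of(url):
    """Return the lowercase host of a URL, dropping punctuation the sentence glued onto it."""
    return re.sub(r"^https?://", "", url.rstrip(".,!?)"), flags=re.I).split("/")[0].lower()

def triage(text, sender):
    """Score one text against the warning signs; returns (verdict, reasons)."""
    reasons = []
    # Brand alerts normally arrive from 5-6 digit short codes; a 10-digit long code is unusual for a bank.
    if not re.fullmatch(r"\d{5,6}", sender):
        reasons.append("long-code sender")
    for url in URL_RE.findall(text):
        host = host_of(url)
        domain = ".".join(host.split(".")[-2:])  # registrable part, e.g. verify-login.top
        if host in SHORTENERS:
            reasons.append("shortened url")  # destination cannot be seen before tapping
        elif domain not in EXPECTED_DOMAINS:
            reasons.append("unexpected url domain: " + domain)
    if URGENCY_RE.search(text):
        reasons.append("urgency pressure")
    if ASK_RE.search(text):
        reasons.append("asks for credential or payment")
    if MFA_RELAY_RE.search(text):
        reasons.append("requests relay of a one-time code")
    verdict = "quarantine" if len(reasons) >= 2 else "review" if reasons else "deliver"
    return verdict, reasons

if __name__ == "__main__":
    for text, sender in SAMPLES:
        print(sender, triage(text, sender))
```

The thresholds are deliberately simple; in practice the reasons would feed a spam folder or a UEM policy rather than a hard block, since a legitimate reminder can carry a URL too.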
